Hi.
I am using a rule to add custom claims to tokens obtained using the resource owner password flow.
On two tenants, with identical app configurations, API configurations, rules and connections, one app obtains all custom claims, properly namespaced, and the other doesn’t.
I can’t seem to understand why this is happening. Is there a hidden grant I need to set?
Sample “stunted” JWT payload:

```json
{
  "iss": "https://<xxx>.auth0.com/",
  "sub": "auth0|<xxx>",
  "aud": [
    "https://<xxx>.appspot.com/graphql",
    "https://<xxx>.auth0.com/userinfo"
  ],
  "iat": 1649396829,
  "exp": 1649483229,
  "azp": "<xxx>",
  "scope": "openid profile email offline_access",
  "gty": "password"
}
```
Sample valid token from the other tenant:

```json
{
  "https://<namespace>/access": "ADMIN",
  "https://<namespace>/id": {},
  "https://<namespace>/memberNumber": {},
  "iss": "https://<xxx>.auth0.com/",
  "sub": "auth0|<xxx>",
  "aud": [
    "https://<xxx>.appspot.com/graphql",
    "https://<xxx>.auth0.com/userinfo"
  ],
  "iat": 1649397775,
  "exp": 1649484175,
  "azp": "<xxx>",
  "scope": "openid profile email offline_access",
  "gty": "password"
}
```
The rule is (abridged):

```javascript
function (user, context, callback) {
  const namespaces = ['https://<xxx>'];
  // Make sure app_metadata exists before reading from it (same behaviour as
  // before, just hoisted out of the loop so it runs once).
  user.app_metadata = user.app_metadata || {};
  namespaces.forEach(namespace => {
    // "access" is copied as-is: if app_metadata.access is unset the claim value
    // is undefined and the claim is dropped when the token is serialised.
    context.idToken[namespace + '/access'] = user.app_metadata.access;
    context.accessToken[namespace + '/access'] = user.app_metadata.access;
    // "id" is defaulted to an empty object, so this claim is always emitted.
    user.app_metadata.id = user.app_metadata.id || {};
    context.idToken[namespace + '/id'] = user.app_metadata.id;
    context.accessToken[namespace + '/id'] = user.app_metadata.id;
    // ...
  });
  callback(null, user, context);
}
```
Thank you in advance for guidelines and help.
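To narrow down a question like the one above, it helps to run the rule locally against a mock `user`/`context` pair and then inspect which namespaced claims actually survive in a decoded token. The block below is an added example, not code from the original post or from Auth0: it embeds the posted rule (abridged to the `access` and `id` claims), runs it in a tiny harness, and provides small helpers to list and diff the namespaced claims of a decoded JWT payload. The namespace `https://example-namespace`, the mock users and the sample payloads are constructed placeholders.

```javascript
// Added example (not the original post's code). Assumed placeholder namespace:
const NAMESPACE = 'https://example-namespace';

// The rule as posted, abridged to the access and id claims.
function rule(user, context, callback) {
  const namespaces = [NAMESPACE];
  namespaces.forEach(namespace => {
    user.app_metadata = user.app_metadata || {};
    context.idToken[namespace + '/access'] = user.app_metadata.access;
    context.accessToken[namespace + '/access'] = user.app_metadata.access;
    user.app_metadata.id = user.app_metadata.id || {};
    context.idToken[namespace + '/id'] = user.app_metadata.id;
    context.accessToken[namespace + '/id'] = user.app_metadata.id;
  });
  callback(null, user, context);
}

// Run the rule against a mock user and return the access-token claims as they
// look after JSON serialisation. JSON.stringify drops keys whose value is
// undefined, so a claim whose source field is missing disappears entirely.
function claimsAfterRule(user) {
  const context = { idToken: {}, accessToken: {} };
  let result;
  rule(user, context, (err, u, ctx) => { result = ctx; });
  return JSON.parse(JSON.stringify(result.accessToken));
}

// List the custom (namespaced) claims present in a decoded payload.
function namespacedClaims(payload, namespace) {
  return Object.keys(payload)
    .filter(k => k.startsWith(namespace + '/'))
    .sort();
}

// Return the expected claim names that are absent from the payload.
function missingClaims(payload, namespace, expected) {
  const present = new Set(namespacedClaims(payload, namespace));
  return expected.filter(name => !present.has(namespace + '/' + name));
}

// Base64url-decode the payload segment of a JWT (inspection only: no
// signature verification is performed here).
function decodePayload(jwt) {
  const seg = jwt.split('.')[1];
  const b64 = seg.replace(/-/g, '+').replace(/_/g, '/');
  return JSON.parse(Buffer.from(b64, 'base64').toString('utf8'));
}

// Build an unsigned token from a payload object, for local testing only.
function unsignedJwt(payload) {
  const enc = JSON.stringify(payload);
  const b64url = Buffer.from(enc, 'utf8').toString('base64')
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
  return 'eyJhbGciOiJub25lIn0.' + b64url + '.';
}

// Constructed sample payload mirroring the "stunted" token in the post.
const STUNTED_PAYLOAD = {
  iss: 'https://tenant.auth0.com/',
  sub: 'auth0|user',
  aud: ['https://app.appspot.com/graphql', 'https://tenant.auth0.com/userinfo'],
  iat: 1649396829,
  exp: 1649483229,
  azp: 'client',
  scope: 'openid profile email offline_access',
  gty: 'password',
};
```

Running `claimsAfterRule({})` shows only the `/id` claim, because `access` was undefined and dropped at serialisation time, while `missingClaims(decodePayload(unsignedJwt(STUNTED_PAYLOAD)), NAMESPACE, ['access', 'id', 'memberNumber'])` reports all three claims absent, which is the signature of the rule not having written anything at all rather than of a missing `app_metadata` field.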